Android: modifying .smali files

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same license and attribute it to the original authors (not me). Original StackOverflow question: http://stackoverflow.com/questions/12648196/

Date: 2020-08-20 11:18:54  Source: igfitidea

modifying .smali files

Tags: android, apk, logcat, smali

Asked by P basak

I reverse engineered some android apks to add some instrumentation for functional testing. I want to know, given a smali file like the following, how I can add something like

Log.e(TAG, "some description", e);

to each method in the .smali files.

.class public Ld;
.super Landroid/view/View;
.source "SourceFile"


# instance fields
.field a:Z

.field b:Lcom/rovio/ka3d/App;


# direct methods
.method public constructor <init>(Lcom/rovio/ka3d/App;)V
    .locals 2
    .parameter

    .prologue
    const/4 v1, 0x1

    .line 317
    invoke-direct {p0, p1}, Landroid/view/View;-><init>(Landroid/content/Context;)V

    .line 313
    const/4 v0, 0x0

    iput-boolean v0, p0, Ld;->a:Z

    .line 314
    const/4 v0, 0x0

    iput-object v0, p0, Ld;->b:Lcom/rovio/ka3d/App;

    .line 318
    iput-object p1, p0, Ld;->b:Lcom/rovio/ka3d/App;

    .line 319
    invoke-virtual {p0, v1}, Ld;->setFocusable(Z)V

    .line 320
    invoke-virtual {p0, v1}, Ld;->setFocusableInTouchMode(Z)V

    .line 321
    return-void
.end method


# virtual methods
.method public a(Z)V
    .locals 4
    .parameter

    .prologue
    const/4 v3, 0x0

    .line 325
    invoke-virtual {p0}, Ld;->getContext()Landroid/content/Context;

    move-result-object v0

    const-string v1, "input_method"

    invoke-virtual {v0, v1}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Landroid/view/inputmethod/InputMethodManager;

    .line 326
    invoke-virtual {p0}, Ld;->getWindowToken()Landroid/os/IBinder;

    move-result-object v1

    invoke-virtual {v0, v1, v3}, Landroid/view/inputmethod/InputMethodManager;->hideSoftInputFromWindow(Landroid/os/IBinder;I)Z

    .line 327
    if-eqz p1, :cond_0

    .line 329
    invoke-virtual {p0}, Ld;->getWindowToken()Landroid/os/IBinder;

    move-result-object v1

    const/4 v2, 0x2

    invoke-virtual {v0, v1, v2, v3}, Landroid/view/inputmethod/InputMethodManager;->toggleSoftInputFromWindow(Landroid/os/IBinder;II)V

    .line 330
    invoke-virtual {p0}, Ld;->requestFocus()Z

    .line 333
    :cond_0
    iput-boolean p1, p0, Ld;->a:Z

    .line 334
    return-void
.end method

.method public onCreateInputConnection(Landroid/view/inputmethod/EditorInfo;)Landroid/view/inputmethod/InputConnection;
    .locals 3
    .parameter

    .prologue
    .line 343
    new-instance v0, La;

    iget-object v1, p0, Ld;->b:Lcom/rovio/ka3d/App;

    const/4 v2, 0x0

    invoke-direct {v0, v1, p0, v2}, La;-><init>(Lcom/rovio/ka3d/App;Landroid/view/View;Z)V

    .line 345
    const/4 v1, 0x0

    iput-object v1, p1, Landroid/view/inputmethod/EditorInfo;->actionLabel:Ljava/lang/CharSequence;

    .line 350
    const v1, 0x80090

    iput v1, p1, Landroid/view/inputmethod/EditorInfo;->inputType:I

    .line 351
    const/high16 v1, 0x1000

    iput v1, p1, Landroid/view/inputmethod/EditorInfo;->imeOptions:I

    .line 352
    return-object v0
.end method

Answered by JesusFreke

The actual code to call Log.e() is fairly simple. It would involve something like:


const-string v0, "MyTag"
const-string v1, "Something to print"
# assuming you have an exception in v2...
invoke-static {v0, v1, v2}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;Ljava/lang/Throwable;)I

However, you have to be careful with what registers you use. You don't want to clobber a register that has a value that will be used later.

So you have 2 options:


  1. Find "safe" unused registers, and use those (can be tricky)
  2. Increase the register count of the method, and use the newly created registers

For number 2, the only gotcha is that the new registers aren't at the end of the register range - they're actually just before the parameter registers.


For example, let's take a method that has 5 registers total (.registers 5), 3 of which are parameter registers. So you have v0 and v1 which are non-param registers, and p0-p2 which are the 3 parameter registers, and are aliases for v2-v4.


If you need to add an additional 2 registers, you would bump it up to .registers 7. The parameter registers stay at the end of the register range, so p0-p2 are now aliased to v4-v6, and v2 and v3 are the new registers that are safe to use.


Answered by CatShoes

A comment on registers that was too large for a comment on JesusFreke's answer. It is worth mentioning that if you have .locals directives instead of .registers directives, the numbering scheme will be different. Roughly speaking, the directives relate in the following manner:

.registers = .locals + NUMBER_OF_PARAMETERS

So if you have a function that has 4 parameters and uses 3 more registers, the directives that could show up are .registers 7 or .locals 3.

And you will get the registers setup as follows:


v0
v1
v2
v3 <==> p0
v4 <==> p1
v5 <==> p2
v6 <==> p3

Source: https://github.com/JesusFreke/smali/wiki/Registers

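A worked example of the register bookkeeping from the two answers above (JesusFreke's "bump the register count, the new registers sit just before the parameter registers" and CatShoes's ".registers = .locals + NUMBER_OF_PARAMETERS"), added here as an editor's illustration; it is not code from the original post or its authors. The script takes a smali file and, for every method with a `.locals` or `.registers` directive, grows the count by three, computes the parameter register count from the method descriptor (so both directive kinds are handled, `this` is counted for instance methods, and `J`/`D` parameters take two registers), and injects a `Log.e(TAG, "<class>-><method>", new Throwable())` call at method entry using only the fresh registers. One caveat the answers do not spell out: growing the count shifts the parameter registers upward, and the non-range `invoke-*`, `iget`/`iput` and `*-2addr` instructions encode registers in 4 bits, so if a parameter register lands at v16 or above an existing `iput-boolean v0, p0, ...` in that method will no longer assemble. The script applies a conservative check and skips (and reports) any method whose new total would exceed 16 registers instead of breaking it. The `SAMPLE` input is constructed from the question's constructor plus a hypothetical static method; the `TRACE` tag, the helper names and the choice to allocate a fresh `Throwable` for the stack trace are assumptions. The injected code never touches `p0`, so it is also safe before the `super.<init>` call in a constructor.

```python
"""Inject Log.e(TAG, "<class>-><method>", new Throwable()) at every method entry
of a smali file by growing the register count, as the answers above describe.
Hypothetical editor's helper, not code from the original post."""
import re
from typing import List, Tuple

METHOD_RE = re.compile(r'^\.method\s+(?P<flags>(?:[a-z\-]+\s+)*)'
                       r'(?P<name>[^\s(]+)\((?P<params>[^)]*)\)(?P<ret>\S+)\s*$')
REGS_RE = re.compile(r'^(?P<indent>\s*)\.(?P<kind>locals|registers)\s+(?P<n>\d+)\s*$')
CLASS_RE = re.compile(r'^\.class\s+(?:[a-z\-]+\s+)*(?P<desc>L[^\s;]+;)\s*$')

NEW_REGS = 3       # tag, message, throwable
MAX_4BIT_REG = 15  # non-range invoke-*, iget/iput, *-2addr encode registers in 4 bits


def param_register_count(params: str, is_static: bool) -> int:
    """Registers consumed by a descriptor's parameter list: one per reference,
    array or 32-bit primitive, two per J (long) / D (double), plus `this`."""
    count = 0 if is_static else 1
    i = 0
    while i < len(params):
        is_array = False
        while params[i] == '[':
            is_array = True
            i += 1
        c = params[i]
        i = params.index(';', i) + 1 if c == 'L' else i + 1
        count += 2 if (c in 'JD' and not is_array) else 1
    return count


def trace_lines(indent: str, first: int, tag: str, message: str) -> List[str]:
    """The injected smali; v{first}..v{first+2} are the fresh, unused registers."""
    v0, v1, v2 = (f"v{first + k}" for k in range(NEW_REGS))
    return [
        f"{indent}# --- injected entry trace ---",
        f'{indent}const-string {v0}, "{tag}"',
        f'{indent}const-string {v1}, "{message}"',
        f"{indent}new-instance {v2}, Ljava/lang/Throwable;",
        f"{indent}invoke-direct {{{v2}}}, Ljava/lang/Throwable;-><init>()V",
        f"{indent}invoke-static {{{v0}, {v1}, {v2}}}, "
        "Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;Ljava/lang/Throwable;)I",
    ]


def instrument(smali: str, tag: str = "TRACE") -> Tuple[str, List[str]]:
    """Return (patched smali, skipped method signatures).  A method is skipped
    when the bump would push a parameter register above v15, because existing
    4-bit-register instructions such as `iput-boolean v0, p0, ...` could then
    no longer be encoded."""
    out: List[str] = []
    skipped: List[str] = []
    class_desc = "L?;"
    pending = None  # (signature, param register count) until the register directive
    for line in smali.splitlines():
        m = CLASS_RE.match(line)
        if m:
            class_desc = m.group("desc")
        m = METHOD_RE.match(line)
        if m:
            sig = f"{m.group('name')}({m.group('params')}){m.group('ret')}"
            is_static = "static" in m.group("flags").split()
            pending = (sig, param_register_count(m.group("params"), is_static))
        elif line.strip() == ".end method":
            pending = None  # abstract/native methods carry no register directive
        r = REGS_RE.match(line)
        if pending and r:
            sig, nparams = pending
            pending = None
            n = int(r.group("n"))
            # .registers counts everything; .locals excludes the parameters
            n_locals = n if r.group("kind") == "locals" else n - nparams
            if n_locals + nparams + NEW_REGS - 1 > MAX_4BIT_REG:
                skipped.append(sig)
                out.append(line)
                continue
            out.append(f"{r.group('indent')}.{r.group('kind')} {n + NEW_REGS}")
            out.extend(trace_lines(r.group("indent"), n_locals, tag, f"{class_desc}->{sig}"))
            continue
        out.append(line)
    return "\n".join(out) + "\n", skipped


# Constructed input: the question's constructor, trimmed, plus a hypothetical
# static method whose register count is already too high to bump safely.
SAMPLE = """\
.class public Ld;
.super Landroid/view/View;

.method public constructor <init>(Lcom/rovio/ka3d/App;)V
    .locals 2
    .parameter

    .prologue
    const/4 v1, 0x1
    invoke-direct {p0, p1}, Landroid/view/View;-><init>(Landroid/content/Context;)V
    iput-object p1, p0, Ld;->b:Lcom/rovio/ka3d/App;
    invoke-virtual {p0, v1}, Ld;->setFocusable(Z)V
    return-void
.end method

.method public static wide(JI)V
    .registers 14
    return-void
.end method
"""

if __name__ == "__main__":
    patched, skipped = instrument(SAMPLE)
    print(patched)
    print("skipped (would exceed v15):", skipped)
```

For the constructor, `.locals 2` with `this` plus one parameter becomes `.locals 5`, and the trace lands in v2..v4 while p0/p1 move to v5/v6, exactly the shift JesusFreke describes. The static `wide(JI)V` method already uses 14 registers (11 locals plus 3 parameter registers for a long and an int), so adding three would put its parameters at v14..v16 and it is reported instead of patched; for such methods you must either find genuinely unused low registers (option 1 in the answer) or insert moves into low registers by hand.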

Answered by TheGT

One of the simpler ways to add smali code, is to write the java code in a test android app. Disassemble using apktool. Look at the smali files to identify the smali code and use it for injecting into other apps that you have disassembled.


Download apktool here : http://ibotpeaches.github.io/Apktool/
